File: pythonpublish.yml

# Builds the package, publishes it to PyPI and, for a new version, creates a
# signed GitHub release.
name: Upload Python Package Pypi

# Runs when a release is created and on every push to main.
on:
  release:
    types:
      - created
  push:
    branches:
      - main

# Workflow-wide default scope for GITHUB_TOKEN; the deploy job declares its
# own, wider permissions.
permissions:
  contents: read

jobs:
  # Single job: creates the signed GitHub release when the version has no
  # release yet, then builds and publishes the distributions to PyPI.
  deploy:
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-wide default.
    permissions:
      # OIDC token; presumably for PyPI trusted publishing, since the publish
      # step passes no password - confirm.
      id-token: write
      # Needed to create the release and upload its assets.
      contents: write
    # NOTE(review): the install and build steps run project code in the same
    # job that holds the imported GPG key and a write-scoped token. Splitting
    # build, sign/release and publish into separate jobs would narrow what
    # each stage can reach.
    steps:
      # Runs harden-runner as the first step of the job.
      # NOTE(review): `audit` only records outbound connections; it does not
      # block them. Once the expected endpoints are known, `block` with an
      # allow-list is the enforcing mode.
      - name: Harden Runner
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

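      # Checks out the tip of main regardless of the triggering event.
      # NOTE(review): a release-triggered run therefore builds main, not the
      # released tag - confirm that is intended.
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          ref: main
          # No later step visible in this workflow fetches or pushes with git,
          # so do not leave the write-scoped token on the runner for the
          # install and build steps to read.
          persist-credentials: false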

      # Installs the interpreter used by the install, version and build steps.
      - name: Set up Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          # Quoted so YAML keeps the version as a string instead of a float.
          python-version: "3.13"
          # Resolve the newest matching release rather than a cached one.
          check-latest: true

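      # Installs the project together with its `publish` extra.
      # NOTE(review): dependency versions are resolved at run time; a
      # constraints file or hash-checked requirements would make the release
      # environment reproducible.
      - name: Install dependencies
        shell: bash
        run: |
          set -euo pipefail
          # Quoted so bash cannot expand [publish] as a glob character class
          # against a matching dotfile in the working directory.
          pip install '.[publish]'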

      # Reads the package version from the repository's helper script and
      # exposes it as the step output `version`.
      # NOTE(review): the value is written to $GITHUB_OUTPUT unvalidated; the
      # only format check is the pattern test in the "Check Tag" step.
      - name: Get Version
        id: version
        shell: bash
        run: |
          set -euo pipefail
          # Plain assignment, so a failing script aborts the step under set -e.
          version="$(python3 ./.github/actions/get_version.py)"
          echo "version=$version" >> "$GITHUB_OUTPUT"

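      # Looks up a GitHub release whose tag equals the package version and
      # sets the output `exists` to "true", "false" or "error".
      - name: Is Tag exists
        id: checkTag
        # NOTE(review): the only action in this workflow referenced by a tag
        # instead of a full commit SHA; pin it like the others.
        uses: actions/github-script@v8.0.0 # v8.0.0
        env:
          # Passed through the environment so the version is handled as data
          # and is never spliced into the script source.
          VERSION: ${{ steps.version.outputs.version }}
        with:
          script: |
            try {
              await github.rest.repos.getReleaseByTag({
                owner: context.repo.owner,
                repo: context.repo.repo,
                tag: process.env.VERSION
              });
              core.setOutput("exists", "true");
            } catch (e) {
              // 404 means no release exists for this tag. Any other failure
              // is reported as "error" (it is not rethrown), which skips the
              // release steps that are gated on "false".
              core.setOutput("exists", e.status === 404 ? "false" : "error");
            }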

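      # Sets `match=true` only for a plain MAJOR.MINOR.PATCH version. The
      # ZIP, signing and release steps are all gated on that output.
      - name: Check Tag
        id: check-tag
        if: steps.checkTag.outputs.exists == 'false'
        shell: bash
        env:
          # Read from the environment so the value cannot alter the script
          # text before the pattern test has run.
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          set -euo pipefail
          if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "match=true" >> "$GITHUB_OUTPUT"
          fi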

      # Packs the package source directory into pyecotrend_ista.zip, written
      # inside that same directory.
      - name: ZIP Component Dir
        if: steps.check-tag.outputs.match == 'true'
        shell: bash
        # Relative to the workspace root.
        working-directory: src/pyecotrend_ista
        run: |
          set -euo pipefail
          zip -r pyecotrend_ista.zip ./

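      # Prepares a loopback-pinentry GnuPG home and imports the signing key.
      - name: Import GPG key (no PII)
        if: steps.check-tag.outputs.match == 'true'
        shell: bash
        env:
          # Only the key is needed for the import; the passphrase is supplied
          # to the signing step alone.
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          mkdir -p ~/.gnupg
          chmod 700 ~/.gnupg
          printf 'allow-loopback-pinentry\n' > ~/.gnupg/gpg-agent.conf
          printf 'pinentry-mode loopback\n' > ~/.gnupg/gpg.conf
          # Here-string keeps the key material out of the argument list and
          # off disk as a named file.
          gpg --batch --quiet --import <<< "$GPG_PRIVATE_KEY"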

      # Fails early when the passphrase secret is missing. Only its presence
      # is reported; the value itself is never printed.
      - name: Debug Passphrase
        if: steps.check-tag.outputs.match == 'true'
        shell: bash
        env:
          PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          if [ -n "$PASSPHRASE" ]; then
            echo "Passphrase is set."
          else
            echo "Passphrase is empty!"
            exit 1
          fi

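      # Writes an ASCII-armored detached signature (pyecotrend_ista.zip.asc)
      # next to the archive.
      - name: Sign ZIP file
        if: steps.check-tag.outputs.match == 'true'
        shell: bash
        env:
          PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          # The passphrase is read from stdin (fd 0) so it never appears in
          # the process argument list, where other processes on the runner
          # could read it. The file to sign is given as an argument, so stdin
          # is free for this purpose.
          gpg --detach-sign --batch --yes --pinentry-mode loopback \
            --passphrase-fd 0 -a \
            "${{ github.workspace }}/src/pyecotrend_ista/pyecotrend_ista.zip" \
            <<< "$PASSPHRASE"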

      # Publishes a non-draft, non-prerelease GitHub release tagged with the
      # bare version and titled "v<version>".
      - name: Create Release
        if: steps.check-tag.outputs.match == 'true'
        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
        with:
          # The job's own token; its scope is the job-level permissions block.
          token: "${{ secrets.GITHUB_TOKEN }}"
          tag_name: "${{ steps.version.outputs.version }}"
          name: "v${{ steps.version.outputs.version }}"
          generate_release_notes: true
          draft: false
          prerelease: false

      # Attaches the archive to the release created for this version.
      # `overwrite: true` replaces an asset of the same name if one exists.
      - name: Upload zip to release
        if: steps.check-tag.outputs.match == 'true'
        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          tag: "${{ steps.version.outputs.version }}"
          asset_name: pyecotrend_ista.zip
          file: "${{ github.workspace }}/src/pyecotrend_ista/pyecotrend_ista.zip"
          overwrite: true

      # Attaches the detached signature so downloaders can verify the archive
      # against the maintainer's public key.
      - name: Upload zip signature to release
        if: steps.check-tag.outputs.match == 'true'
        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          tag: "${{ steps.version.outputs.version }}"
          asset_name: pyecotrend_ista.zip.asc
          file: "${{ github.workspace }}/src/pyecotrend_ista/pyecotrend_ista.zip.asc"
          overwrite: true

      # - name: Build and publish package to TestPyPI
      #   # if: steps.check-tag.outputs.match == 'true'
      #   env:
      #     TWINE_USERNAME: __token__
      #     TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
      #   run: tox -e test-publish -- --non-interactive

      # - name: Build and publish package to PyPI
      #   # if: steps.check-tag.outputs.match == 'true'
      #   env:
      #     TWINE_USERNAME: __token__
      #     TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
      #   run: tox -e publish

      # Builds the distributions with the `build` front end.
      # This step has no `if`, so it runs on every trigger, whether or not
      # the release steps above ran.
      - name: Build package
        shell: bash
        run: |
          set -euo pipefail
          # NOTE(review): `build` is installed unpinned at release time;
          # pinning its version would make the build environment reproducible.
          pip install build
          python -m build

      # Uploads the built distributions to PyPI. No password is passed, so
      # this presumably authenticates with the job's OIDC token (trusted
      # publishing) - confirm against the PyPI project settings.
      # This step has no `if`: it runs on every push to main and on release
      # creation.
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          # Files already present on the index are skipped instead of
          # failing the upload.
          skip-existing: true

      # - name: Publish package to TestPyPI
      #   uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
      #   with:
      #     user: __token__
      #     password: ${{ secrets.TEST_PYPI_TOKEN }}
      #     repository-url: https://test.pypi.org/legacy/
      #     skip-existing: true
      #     attestations: false